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Abstract. We prove a general form of bit flip formula for the 
quantum Fourier transform on finite abelian groups and use it to 
encode some general CSS codes on these groups. 

o : 

wo: 

2 ■ 1. Introduction 

<: 

In classical public key cryptography the security of the cryptosys- 
| terns are based on the difficulty of calculating certain functions. A 

famous example is the ASP cryptosystem which was based on the as- 
sumption that factoring large integers could not be done in polynomial 
Q\ ', time (on classical computers). The typical situation in these systems 

is that two parties (Bob and Alice) whish to communicate in secret. 
Instead of sharing a secrete key in advance (which confront us with the 
relatively difficult issue of secret key distribution), Bob announces a 
public key which is used by Alice to encrypt a message, sent to Bob. 
; The encryption is done in a clever way so that if a third party (Eve) 

wants to decrypt it a non feasible amount of calculation is needed. 
. Bob, however, has a secret key of his own which enables him to do the 

encryption in real time. 

Quantum cryptography has a different way of keeping things secret. 
The difficulty of some calculations is replaced by the impossibility of 
£> . some calculations according to the laws of quantum mechanics. The 

first example of the quantum key distribution protocol was published 
in 1984 by Bennett and Brassard [BB] which is now called BB84 code. 
The security of this protocol is gauranteed by the impossibility of mea- 
suring the state of a quantum system in two conjugate bases simultane- 
ously. A complete proof of security against any possible attack (i.e. any 
combination of physical operations permitted by the laws of quantum 
mechanics) was given later [LC], [M], [BBMR]. A simple proof of this 
fact is proposed by Shor and Preskill in [SP] . They first showed the se- 
curity of a modified Lo-Chau code which is a entanglement purification 
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protocol and uses EPR pairs. Then they showed that it is equivalent 
to a quantum error correcting code, namely the CSS code introduced 
independently in [CS] and [S]. This later code was constructed on the 
vector space {0, 1}™ after the classical binary codes. Finally they re- 
duced the CSS code to BB84. The basic idea of this final step was to 
avoid the quantum memory and reduce the encoding and decoding to 
classical computations. 

The encoding part in the CSS protocol in [SP] was based on the 
following property of linear codes: If C is a linear code then the value 
of Yl y ec(~^) X V is 1 or when x G C 1 - or x ^ C -1 , respectively. This 
is used to show that the Hadamard gate transforms the state 

L£(-inv+&> 

C ' y&c 
to the state 

V \ L I yeC ± 

In this paper we generalize this observation to the setting of arbitrary 
finite abelian groups (note that in linear coding theory {0, l} n is treated 
as a vector space, but it is also an abelian group). We show that for 
a finite abelian group G, a subgroup H, and elements a, b G G, the 
quantum Fourier transform sends the state 



to the state 

Yl Xb(z)\z + a) 



| if 



zeH 1 - 

where {x x '■ x G G} is a Fourier basis for G and H 1 - = {x G G : Xx(y) — 
1 (y G H)}. We use this to build a version of CSS code adapted to 
the group case. We show that the calculations of [SP] carries over 
and we can reduce this code to a generalized version of BB84 built on 
group G. The paper continues as follows. In section 2 we introduce 
the quantum Fourier transform on a finite abelian group G and prove 
the above statement. In section 3 we discuss quantum error correction 
codes and introduce the CSS code on G. In the last section we above 
mentioned two protocols and show their equivalence. 

2. quantum Fourier transform 

Let G be a finite abelian (additive) group. Let TC = CG be a Hilbert 
space with the orthonormal basis {\x) : x G G}, called the standard 
basis of 7i. There is a natural action of G on TC by translation 

x : \y) i-> \x + y) (x,y G G) 
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Note that CG is also an algebra under the convolution product 

xeG yeG z£G x+y=z 

A character on G is a nonzero group homomorphism \ '■ G — > T, where 
T is the multiplicative group of the complex numbers of modulus 1. 
The values x( x ) are | C |-th roots of unity. The set G of all characters 
on G is an abelian group with respect to the pointwise multiplication 
and is called the dual group of G. It is well known that \G\ = \G\ 
and so we may index the elements of G by elements of G, and write 
G = {xx '■ x G G}. Indeed in the finite group case we have, G ~ G, so 
we may assume that XxXy — Xx+ y and Xx(y) — Xy{ x )-> f° r eacn X ,U ^ G, 
and xo — 1- Also we have the Schur's orthogonality relations 

7771^2 Xy( x )Xz( x ) = Syz (y,zeG). 

' ' xeG 

For each x G G cosider the state 

1 1 s/eG 

then the above orthogonality relations imply that {\Xx) '■ x G G} forms 
a orthonormal basis for H, called the Fourier basis of Ti. This basis is 
translation invariant in the sense that 

x \Xy) = Xy( x )\Xy) ( x , V £ G) 

The quantum Fourier transform on G is the unitary operator Fq : 
H — > defined by 

Note that one can extend this map by linearity on Ti (see [J]). Two 
classical examples are G = 7L m where 

Xk(() = e 2mk / m k,£ = 0,...,m-l 

andG = {0, l} n where 

Xx(v) = (-I)'* (x,ye{0,l} n ) 

in which F G is the usual discrete Fourier transform DFT m on Z m and 
the Hadamard transform H n , respectively. 

Each element of G could be extended by linearity to a linear func- 
tional on CG. This is indeed a multiplicative functional with respect 
to the convolution product and G exhusts the set of all multiplicative 
linear functionals [R]. The well known Peter- Weil theorem applied to 
the finite group G, tells us that G is an orthonormal basis for the linear 
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dual space (CG)*. In particular (CG)* ~ CG. For each subset H C G, 
CH is a subspace of CG, generated by {\x) : x G if}. We put 

H ± = {xeG: X M = ± (y^H)} 

If H is a subgroup of G (we write if < G), then ff x ~ (G/ff )" [R]. This 
notion goes in parallel with the notion of the orthogonal complement 
L 1 - for a subspace L < CG. Of course (CH) 1 - and Cif- 1 are not the 
same (even the dimensions don't match). 

Lemma 2.1. If H < G and x G G^ 1 -, then there is K < if with 
[H : K] — 2 and x G H of order two such that H = K U K + xq, 
K H K + x = ®, and Xx(%o) = _ 1- 

Proof Consider the subspace L < CH with L x =< CH 1 -, x >. Then 
L has codimension 1 in CH, so we can write H — K U {x } f° r some 
7^ :r G if and K C H with L = CK and Cif =< f,x >. Since 
G if so x G ff + rco and therefore H C i^UfT + Xo- But is a group, 
so X U K + x C H , that is if = K U X + x . Now if X n K + x 7^ 0, 
then xq G f , which is not possible. To see that K is a subgroup of H 
take x,y & K, then x — y <E H = K U K + xq, but x — y G if + x would 
imply that x G CK = L which is again impossible, so x — y G K. 
Now K has exactly two cosets in H , so [H : K] — 2 and the group 
generated by x is isomorphic to the quotient group H/K of order 2, 
so Xq has order 2. In particular x^O^o) = 1 or —1. But x G (CK) 1 - so 
Xx(fc) — 1) f° r eacn k E K. Hence Xx(^o) 7^ 1 (otherwise x G H 1 -), and 
so Xx(^o) = -l.QED 

Lemma 2.2. For each x G G and H < G we have 



J2xx(y) 

yen 



\H\ ifxeH^ 
otherwise 



Proof If x G if then 

yeH yeH 

If x $l H 1 -, then with the notation of the above lemma 

^2xx(y) = ^2xx(y) + Yl Xx ( y "> 

yeH yeK yeK+x 

= ^Xx(y) + Y Xx(y + x Q ) 

yeK yeK 

= Y / (l + Xx(x )) X x(y) = O.QED 

yeK 

For each x,y G G let \x)(y\ be the rank one operator on Ti = CG 
defined by 

(\x)(y\)\z) = (y\z)\x) (z G G) 
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then one can decompose the quantum Fourier transform as a combina- 
tion of rank one operators. 



Lemma 2.3. F G = -±= J2 x , y eGXx(y)\y) {x\. 

Proof If Fq is defined by above formula, then for each z G G 



f g\z) = —f= Xx(y)\y)(x\z) = —= Xx(y)S xz \y) 

I I x,yeG V I I x,yeG 

1 = J2xx(y)\y)-QED 

yeG 



G 



Now we are ready to prove the main result of this section. 
Theorem 2.1. Let a,b G G and H < G and consider the state 



\/\rl\ ,_ „ 



then 



Fg\4>) = ^= £ X b (z)\z + a) 



Proof If we use the above lemma and the fact that 



Xz+b{y) = Xz(y)xb(y), Xz{y) = x y {z) (y, zeG) 



M. AMINI 



we have 



i 



1 



H 



H 



H 



H 



H 



Y Xx(y)\y)(x\J2x-a(z)\z + b) 



x,y€G 



Y J2xx(y)x-a(z)\y)(x\z + b) 

x,y£Gz£H 

^2J2xz+b(y)X-a(z)\y) 

yeGzeH 

^y^Xz{y)xb{y)x-a{z)\y) 

yeGzeH 

^y^Xy{z)Xb{y)x-a{z)\y) 

yeGzeH 

J2J2xb(y)xy-a(z)\y) 

yeGzeH 



HTm (]W\ S *y-^ z )) ( Y My) \y)) 

V\ H \ \ n \ zeH veG 



Y Xb(y)\y) 



y-a&H 1 - 



= Y xi >( z + a )\ z + °) 



zeH 1 - 



Xbja) 

Xa(b) 



Y Xb(z)\z + a) 



zeH 1 - 



Y Xb{z)\z + a).QED 



z£H A 



3. QUANTUM ERROR CORRECTING CODES 

A quantum channel Q is a trace preserving completely positive linear 
map 

Q ■ 7~tin ^ T~^out 

We can decompose Q as 

q(p) = Ya 1 p4, 

iei 

where A^s are error operators with ^2 ieI A\Ai equal to the identity 
operator. In general Q is not invertible, unless restricted to a subspace. 
A subspace C < Hi n is called a quantum error correcting code( QECC) 
for Q if there is a decoding operator D such that 
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or equivalently 



P C A\A,P C = a M P c (k,£el) 



for some constants aw, where Pq is the projection operator onto C [K]. 

Now let G be a finite abelian group and G n = Gx- ■ -xG (n copies). 
A subgroup C < G n with k = \C\ is called a [n, k] G code. Elements of 
G n are words ) and the words in C are called codewords. 

For x, y G G n , the distance d(x,y) is the number of coordinates in 
which x and y differ. The weight of a word x is the number wt(x) of 
its nonzero coordinates, where zero is the identity of G. A [n, k]a code 
with minimum distance d is called a [n, k, d]o code. When G = (F 2 , +), 
this is nothing but the classical binary code [n,log2(k),d]. 

Suppose C\ and C2 are [n, k\\c and [n, ^Jg codes with C 2 < Ci and C\ 
and both correct t errors. We define a quantum code CSSg(C\, C 2 ) 
capable of correcting errors on t qubits. For a codeword x G C\ put 



Note that \x + C 2 ) only depends on the coset of C1/C2 to which rr + C 2 
belongs. Also \x + C 2 ) is orthogonal to \y + C 2 ), if x and y are repre- 
sentatives of different cosets of C 2 . The quantum code CSSg{Ci, C 2 ) is 
defined on the vector space spanned by the states \x + C 2 ) , where x 
ranges in C\. In particular the dimension of CSSaiCiiC-i) is |Ci|/|C 2 |. 

Suppose that a bit flip and a phase flip errors have occured. These 
are described by two "n bit" vectors ei,e 2 G G n . If |V>) — \x + C 2 ) is 
the original state, then the corrupted state would be 



as in the binary case, the encoding process starts with introducing a 
ancilla (of sufficient length) initially in the all zero state |0). We apply 
the parity matrix Hi for the code C\ taking \x + y + ei)|0) to 



where the above equality follows from the fact that x + y G C\ , and so 
Hi(x + y) = 0. The effect of this operation on |^i)|0) is 



Now error detection for the bit flip error is simply done by measuring 
the ancilla. This gives us H\e\, from which we can infer e±, since C\ 
can correct up to t errors. The result of discarding the ancilla is the 

state 





x + V + e 1 )\H 1 (x + y + e x ) 



x + y + e^lHid) 
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Next applying the U\ : \z) \— > \z — ei) unitary gate to this state, we 
obtain 

1 - 

|-03> = —7= Yl ^ X + y)\ x + v) 

V M yeC2 

The next step is applying the quantum Fourier transform F^n = Fg ® 
• • • <S> Fq (n times) to j^). Using Theorem 2.1 (applied to G n with 
H = C 2 , a = — e 2 , and b = x) we get 

1^4) = F G n|^ 3 ) = Xe 2 (^)Fs"(^= Yl Xe 2 (y)\y + x)) 



S/GC 2 



y&C^ 



= "T^Tr Yl Xx(y)\y-e 2 ) 

As for the error detection for the bit flip, we introduce an ancilla and 
apply the parity matrix H 2 for to obtain H 2 (—e 2 ), and correct the 
phase flip error (now showing up as a bit flip error), obtaining the state 

IV^) = -J= *x{y)\y) 
vl c 2 1 yeC ± 

Again applying Fqu and using Theorem 2.1 (with H = C^, a = —x, 
and b = 0) we get 

l^ 6 > = F Gn \^) = *=M xo(y)\y - x) 

V K-2 



S/GC 2 

Finally, applying the C/J : |z) 1— > |z + x + x) unitary gate to this state, 
we get back our original state 



.7;) 



with a slight modification of the above proof, we have 

Theorem 3.1. Suppose C\ andC 2 are [n, ki,di]o and [n,k 2 ,d 2 ]G codes 
with C 2 < C\, let V = {vi, . . . ,Vk} be the set of representatives of the 
quotient group C\jC 2 , then the k — |^ mutually orthogonal states 



C 2l y€C 2 

are a basis for a quantum error correction code C < 7i® n , where 7i = 
CG is the group algebra of G. The code can simultaneously correct at 



ERROR CORRECTION 



9 



least I^y^ \ spin flip errors and [^^"J P^ ase flw errors. Its minimum 
distance is d > mindi,d 2 . We denote this QECC by CSSq(Ci,C2) or 
[[n,k,d]] G . 



4. A QUANTUM ERROR CORRECTION PROTOCOL 

In this section we use a version of the quantum error correction code 
CSSg(Ci,C 2 ) to write a quantum error correction protocol similar to 
the protocol introduced in [CS] (for the case G = F 2 ). Let C\ and C 2 
be as in the Theorem 3.1, for each x 6 Cj 1 and z G C 2 consider the 
quantum error correction code CSS G ,x (Ci,C 2 ) with codeword states 

\i>v,z,x) = —i= Xz{w)\v + W + X) 



weC 2 

where v ranges over the representatives of the |Ci|/|C2| cosets of C 2 in 
C\ (we use the notation [v] as an abbriviation for the coset v + C 2 . Note 
that the number of these states is 

\d\/\C 2 \.\C 2 \.\Ci\ = \G n \ = \G\ n 

We show that these states are mutually orthogonal, and therefore form 
a basis for an |G| "-dimensional vector space. 

Lemma 4.1. E 2e c 2 l^wK^Wl = Y. w &c 2 \v + w + x) (v + w + x\ 

Proof Using Lemma 2.2 applied to G n (with H = C 2 and x = 
wi — w 2 ) we have 



^ \^v,z,x){^v,z,x\ — j^-j ^ Xz(w 1 -w 2 )\v + w 1 + x)(v + w 2 + x\ 

z£C 2 2 Z6C2 Wl,W 2 €C 2 

= {t^1^2xw 1 - W2 (z))\v + w 1 + x)(v + w 2 + x\ 

wi,ui 2 eC2 2 zec 2 

= ^2 °~w u w 2 \v + Wi + x) (v + w 2 + x\ 

u>i, w 2 ec 2 

= ^2 \v + w + x) (v + w + x\.QED 

w€C 2 

Let us use the abbreviation Yl v z x to denote the summation over all 
[v] e Ci/C 2 , z e C 2 , and x e C{ . 

Lemma 4.2. J2 VZX \i/) v ,z,x) (i>v,z,x\ — I> ^e identity operator on CG n . 
By above lemma 

\^v,z,x){lpv,z,x I = S \ V + W + X )( V + W + X \ 

v,z,x v,x w£C 2 
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but each y G G n has a unique decomposition y = v + w + x, for some 
[v] G C1/C2, w G C 2 , and rr G Cj 1 . Therefore the last sum is the same as 

]T |i/)<i/| = J.Q££> 

A similar argument proves 

Lemma 4.3. J2 v ,z,x = E^g™ \y)\y)- 

Now we are ready to present our quantum error correction proto- 
col. It is based on the modified Lo-Chau protocol[LC] and follows the 
presentation of a similar construction as reported in [NC]. It uses our 
quantum error correction code to perform entanglement distillation. 
The basic difference here is the meaning of a "qubit". For us a qubit is 
a basis element of H, — CG, namely a state of the form \t), where t G G 
(bit has a similar meaning). Also let us remind that the standard basis 
of H is {\t) : t G G}. So for the given finite abelian group G, we have 
the following protocol. 

QKD protocol: CSS G codes 

1: Alice creates n random check bits, a random m bit key k, and two 
random n bit strings x and z. She encodes \k) in the code CSSq X {C\, C2). 
She also encodes n qubits according to the check bits. 

2: Alice randomely chooses n positions (out of 2n) and puts the 
check qubits in these positions and the encoded qubits in the remaining 
positions. 

3: Alice selects a random 2n bit string b and performs a Fourier 
transform F G on each qubit for which b is not (0 is the identity of 
G). 

4: Alice sends the resulting qubits to Bob. 

5: Bob receives the qubits and publicly announces this fact. 

6: Alice announces b, z, x, and which n qubits are to provide check 
bits. 

7: Bob performs the Fourier transform on the qubits where b is not 

0. 

8: Bob measures the n check qubits in the standard basis, and pub- 
licly shares the results with Alice. If more than t of these disagree, 
they abort the protocol. 

9: Bob decodes the remaining n qubits from CSS G ,x (Ci,C2)- 

10: Bob measures his qubits to obtain the shared secret key k. 

A series of remarks are in order. We have emplyed CSSg(Ci,C2) 
code, which we assumed to encode m qubits in n qubits and correct 
up to t errors. The Alice's n EPR pair state may be written as the 
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equal states given in Lemma 4.3. Note the lables are separated to 
indicate the qubits Alice keeps, and the ones she sends to Bob. If Alice 
wants to measure her remaining qubits according to the check matrix 
for CSSq(Ci,C2), she obtains random values for x and z, and if she 
wants to measure the m EPR pair in the standard basis, she obtains 
a random choice of v. Then the remaining n qubits are left in the 
state |VVz,rr), which is the codeword for v in C SSq X {€1,62) and is the 
encoded version of the state k). 

Following [SP] , one may do the following modifications in the proto- 
col. Bob measures his qubits in the standard basis (which is e version 
of the Z basis in the binary case) after decoding so the phase correction 
sent as z by Alice is irrelevant. Therefore, instead of decoding and then 
measuring, Bob can immidiately measure to obtain v + w + x (up to 
some error), then decode (classically ) as follows. He can subtract the 
annonced value of x and coorect the result to a codeword in Ci, which 
would be v + w if the distance of the code is not exceeded. Then the 
key k is the coset v + w + C2 in C\. Now as Alice need not reveal z, she 
is effectively sending a mixed state averaged over random values of z, 
which by Lemma 4.1 is 



To create this state, Alice only needs to choose w G C2 randomely 
and construct \v + w + x) with her random values of x and k. Also if 
Alice happens to choose v G C\ (rather than [v] G C1/C2), then w is 
unnecessary. In this case, Alice may choose x at random, send \x) so 
that Bob receives and measures x (with some error), then Alice sends 
x — v, which is subtracted by Bob to obtain v (with some error). This 
leaves no difference between the random check bits and the code bits. 
Finally to avoid the performance of the Fourier transform by Alice, she 
can encode her qubits in the standard basis {\t) : t G G} or the Fourier 
basis {\xt) '■ t G G}, according to the bits of b, where 



Then Bob could measure the received qubits randomely in the stan- 
dard or Fourier bases. When Alice subsequently annonces b, they can 
keep only those bits for which their bases were the same. As they are 
most likely to discard half of their bits, they should start with a little 
more than twice the number of original random bits. This way Alice 
can delay her choice of check bits until after discarding. This allows 
us to avoid the use of quantum memory and perform the encoding 
and decoding classically. Summing up we have the following version of 
BB84, adapted to the group G. 





QKD protocol: BB84 G codes 



12 



M. AMINI 



1: Alice creates (4 + S)n random bits. 

2: Alice creates for each bit a qubit in the standard or Fourier basis, 
according to a random bit string h (uses standard basis if at bits for 
which b is 0, and the Fourier basis otherwise). 

3: Alice sends the resulting qubits to Bob. 

4: Alice chooses a random v 6 C\. 

5: Bob receives the qubits, publicly announces this fact, and mea- 
sures each in the standard or Fourier basis at random. 

6: Alice announces b. 

7: Alice and Bob discard those bits Bob measured in a basis other 
than the one instructed by b. With high probability, there are at least 
2n bits left (if not abort the protocol). Alice decides randomely on a 
set of 2n bits to continue to use, randomely selects n of these to be 
check bits, and announces the selecrtion. 

8: Alice and Bob publicly compare their check bits. If more than t 
of these disagree, they abort the protocol. Alice is left with the n bit 
string x, and Bob with x + e. 

9: Alice annonces x—v. Bob subtracts this from his result, correcting 
it with code C\ to obtain v. 

10: Alice and Bob compute the coset v + C2 in C1/C2 to obtain the 
key k. 
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